Hi Felix,
On Fri, Apr 12 2024, Felix Lechner wrote:
> To my surprise OpenSSL, which I saw in proced, generated a lot
> of certificates in /etc/certs. I am talking about pages and
> pages of asterisks, plusses, and dots for a system with twenty or
> so certificates. Is it possible that they were generated as a
> result of the patch?
I expect the first reconfiguration after this change to create one
self-signed certificate in /etc/certs for each
<certificate-configuration> object in your certbot configuration.
These self-signed certificates will then be replaced by symlinks
to the certificates that certbot generates after your next renewal
(i.e. when the deploy hook runs). We could avoid generating
unnecessary self-signed certificates by first checking if we
already have certificates from certbot, and creating the symlink
straight away if we can.

About the "pages and pages" of output: it might be sensible to
change the size of the keys used in the self-signed certificates.
The current code uses the rsa-key-size from the
<certbot-configuration>, or 4096 if that is unset (the default).
This is probably overkill given we don't actually need, or want,
to use the initial certificates. We could instead use the smallest
key size that openssl supports (512?). I'm not sure when I'll have
time to make those changes, but they should be pretty
straightforward if someone else has time before I do.
> It would be unfavorable to create such certificates when they
> are not needed. It reduces valuable server entropy.
If you don't want the initial self-signed certificate you can tell
Guix not to generate it by setting start-self-signed? to #f on the
<certificate-configuration> object.
Carlo
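The check proposed in Carlo's reply (link to certbot's certificates when they already exist, otherwise fall back to a placeholder so daemons can start), written out as an added shell example; this is not code from the Guix certbot service. The certbot live directory, the per-domain layout under /etc/certs and the fullchain.pem/privkey.pem file names are assumptions.

```shell
#!/bin/sh
# Added example, not the Guix service's code. Paths are assumptions:
#   CERTBOT_LIVE - where certbot keeps the certificates it renews
#   CERTS_DIR    - the directory daemons read (the thread's /etc/certs)
CERTBOT_LIVE="${CERTBOT_LIVE:-/etc/letsencrypt/live}"
CERTS_DIR="${CERTS_DIR:-/etc/certs}"
# Key size for the throwaway placeholder; it is never meant to be trusted.
PLACEHOLDER_BITS="${PLACEHOLDER_BITS:-2048}"

# ensure_initial_cert DOMAIN
# Prints "symlink" when certbot material was found and linked, "exists"
# when a previous run already populated the directory, and "self-signed"
# when a placeholder had to be generated.
ensure_initial_cert() {
  domain=$1
  live="$CERTBOT_LIVE/$domain"
  dest="$CERTS_DIR/$domain"
  mkdir -p "$dest"

  # certbot (or an earlier deploy hook) already produced a certificate:
  # point at it directly instead of generating anything.
  if [ -s "$live/fullchain.pem" ] && [ -s "$live/privkey.pem" ]; then
    ln -sf "$live/fullchain.pem" "$dest/fullchain.pem"
    ln -sf "$live/privkey.pem"   "$dest/privkey.pem"
    echo symlink
    return 0
  fi

  # Do not regenerate a placeholder on every reconfiguration.
  if [ -s "$dest/fullchain.pem" ] && [ -s "$dest/privkey.pem" ]; then
    echo exists
    return 0
  fi

  # No certbot material yet: emit a short-lived self-signed placeholder.
  # The deploy hook is expected to replace these files with symlinks.
  openssl req -x509 -newkey "rsa:$PLACEHOLDER_BITS" -nodes -days 1 \
    -subj "/CN=$domain" \
    -keyout "$dest/privkey.pem" -out "$dest/fullchain.pem" 2>/dev/null
  echo self-signed
}
```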